Application Scan Tab

The application Scan tab provides various statuses related to your selected application and lets you configure and schedule future scans.

Scan Configuration

Click on Scan Configuration to configure your scan. Here you can select a scan profile if desired (Default, SCA only, Mobile, Web, or Desktop Application), enable or disable directed remediation, exclude particular languages or files, and/or upload a configuration file (Maven, Gradle, NuGet, NPM, Composer, Yarn, or Bower).
Scan Schedule

Refer to Scheduling an Application Scan for guidance on this.
Start Pre-Scan

Start Pre-Scan is only available for applications that have never been scanned before. Once an application has been scanned once, this option is removed for that particular application.

To run a pre-scan (which will determine the license requirements) click on Start Pre-Scan. A green banner is displayed for success, but if there is an error, you will see a red banner.

Pre-scan typically completes in under 30 minutes and does not consume any licenses. It does not verify or display any vulnerabilities, but rather it is a lightweight scan intended for the following purposes:
- to validate scan configurations and codebase access, including the ability to check out code.
- to check for scan errors and missing dependencies.
- to count the lines of code and determine the file size, to determine the type of license required for a full scan.
- to provide a list of files scanned to allow you to exclude files that should not be included in the full scan.
Scan Now

Clicking on Scan Now assigns an appropriate license to this application if necessary and begins the scan. If an appropriate license is not available, the request will be rejected and you will see a red banner.

Full Scan may take up to 24 hours to complete, depending on your application’s complexity and the process will consume one license. This is a deep scan intended for the following purposes:
- to perform full static or binary analysis of your application.
- to perform Software Composition Analysis and identify open-source and third-party libraries used in your application, with the version, license information and CVEs if available.
- to verify and display security vulnerabilities found in your application.

Scan status fields:

Field No.	Field Name	Description
5a	Scan Status	This shows the status of the current scan. This may be Complete, Scan Running, Failed, or WHS Updating Configuration (Scans are paused for some kinds of maintenance).
5b	Scan Schedule	This displays the scanning schedule for the selected application.
5c	Next Scan Scheduled	The date on which the next scan is scheduled to begin.
5d	WhiteHat Asset Size	The relative size of the asset being scanned, according to Black Duck’s terminology.
5e	Code Sent to WhiteHat (%)	The percentage of the code scanned that was sent to Black Duck as 'code snippets' to verify potential vulnerabilities.
5f	Last Completed Scan	Most recent date on which a scan was completed.
5g	Last Scan Request By	Provides the name of the user that requested the last scan.
5h	Lines of Code Scanned	Number of lines of code covered in the most recent scan.
5i	Average Lines of Code Scanned	Number of lines of code scanned on average overall.
5j	Last Scanned File Size	File size of the asset in the most recent scan.
5k	Average Scanned File Size	Average file size scanned overall.
5l	Potential Vulnerabilities - Scanner Found	The number of possible vulnerabilities identified by the scan.
5m	Open Vulnerabilities - Verified	The number of verified vulnerabilities currently open for this asset.
5n	Extensions Scanned	This table provides a list of the file types and the count for each file type scanned.

Field No.

Field Name

Description

Scan Status

This shows the status of the current scan. This may be Complete, Scan Running, Failed, or WHS Updating Configuration (Scans are paused for some kinds of maintenance).

Scan Schedule

This displays the scanning schedule for the selected application.

Next Scan Scheduled

The date on which the next scan is scheduled to begin.

WhiteHat Asset Size

The relative size of the asset being scanned, according to Black Duck’s terminology.

Code Sent to WhiteHat (%)

The percentage of the code scanned that was sent to Black Duck as 'code snippets' to verify potential vulnerabilities.

Last Completed Scan

Most recent date on which a scan was completed.

Last Scan Request By

Provides the name of the user that requested the last scan.

Lines of Code Scanned

Number of lines of code covered in the most recent scan.

Average Lines of Code Scanned

Number of lines of code scanned on average overall.

Last Scanned File Size

File size of the asset in the most recent scan.

Average Scanned File Size

Average file size scanned overall.

Potential Vulnerabilities - Scanner Found

The number of possible vulnerabilities identified by the scan.

Open Vulnerabilities - Verified

The number of verified vulnerabilities currently open for this asset.

Extensions Scanned

This table provides a list of the file types and the count for each file type scanned.

Scan Log

The Scan Log table at the bottom of this screen essentially provides an application scan history for the user. It records the following:
1. Scan Completed Date, which notes the completion date and timestamp for every scan performed on the selected application.
2. The File Size that was scanned.
3. The number of Lines of Code Scanned.
4. The Codebase Metadata. When View is clicked, the following information displays:
  - The scanned repository Name.
  - The URL to the scanned repository.
  - The Revision sha which notes the exact revision of the codebase that was scanned.

If no codebase metadata exists, the View link will not appear next to that particular scan.

Application Scan Tab

Video Tutorial - SAST Scan Tab